Microsoft Drops Stealthy Regenerating Supercookies from MSN

Researchers from Stanford and UC Berkeley recently publicized information about supercookies that continue tracking users even after the browser cookies have been deleted.

Microsoft has removed the tracking cookie from MSN.com that could stealthily track users on the site even after the user deleted all cookies from the Web browser.

The code used on MSN.com that was responsible for the "supercookies" had already been slated for removal, Mike Hintze, Microsoft's associate general counsel for regulatory affairs, said Aug. 19 in a blog post on Microsoft Privacy & Safety. The company accelerated the removal process after being alerted by Jonathan Mayer, a Stanford University researcher who claimed Microsoft used the powerful cookies on Live.com, MSN.com and on Atlas third-party advertising networks, which place ads for other companies on the Internet.

The cookie onslaught was "occurring under certain circumstances as a result of older code that was used only on our own sites," Hintze said. None of the cookie identifiers or data associated with them were ever "shared outside of Microsoft," according to Hintze.

People could have had the supercookie installed on their machines without visiting Microsoft Websites directly, Mayer said. Even if they deleted regular cookies, Microsoft could have retained information about their Web browsing.

"It is difficult to estimate the number of users affected by Microsoft's respawning without knowing more about traffic to Microsoft's Web properties and the conditions under which it would set [the identifier ID]," Mayer said in his blog.

Mayer's report followed a study from researchers at the University of California, Berkeley, who found many Websites used tracking mechanisms that circumvented the privacy settings users set up on the Web browser. Many sites, including Hulu.com, were saving "supercookies" on user computers to track users for advertising purposes. Many of these cookies are designed to re-enable themselves even after being deleted, allowing companies to track user activity and behavior over time despite cookie deletions.

Persistent cookies are not new, as there are a number of techniques used to prevent users from deleting them. Since the cookies are stored outside the Web browser, switching browsers to protect privacy doesn't help, according to Ashkan Soltani, an independent security researcher and co-author of the UC Berkeley report. Flash cookies store user-tracking data in an Adobe Flash plug-in. Cache cookies store data in ETags, which are used to save bandwidth. Microsoft's supercookie appears to have been a cache cookie, which means the only way to remove it was to clear the cache as well.

"A Flash cookie acquired while using Firefox is also available to Websites when using Internet Explorer," Soltani said on his blog.

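
An added example, not from the article or the researchers: a Python check over constructed request/response records that flags the cache-cookie respawning described above, where a cookie value deleted by the user is re-issued on a request that carried only an ETag validator (`If-None-Match`). The record layout, host names, cookie names and values are assumptions made for illustration.

```python
"""Flag cookie identifiers that come back after deletion via a cache validator."""

# Constructed records for one browser profile, in time order (not real traffic).
# Hosts, cookie names and values are made up for illustration.
SAMPLE = [
    {"host": "tracker.example", "req": {},
     "resp": {"ETag": '"u-7f3a9c"', "Set-Cookie": "uid=7f3a9c; Path=/"}},
    {"host": "tracker.example",
     "req": {"Cookie": "uid=7f3a9c", "If-None-Match": '"u-7f3a9c"'}, "resp": {}},
    {"event": "cookies_cleared"},  # user deletes cookies, cache left intact
    {"host": "tracker.example", "req": {"If-None-Match": '"u-7f3a9c"'},
     "resp": {"Set-Cookie": "uid=7f3a9c; Path=/"}},
    {"host": "static.example", "req": {"If-None-Match": '"v42"'},
     "resp": {"Set-Cookie": "sid=new123"}},
]


def set_cookie_pair(header):
    """Return (name, value) from a Set-Cookie header, ignoring its attributes."""
    name, _, value = header.split(";")[0].strip().partition("=")
    return name, value


def find_respawns(records):
    """Return findings where a pre-deletion cookie value is re-issued to a
    request that sent no Cookie header but did send an If-None-Match validator."""
    seen = {}        # host -> cookie values set before the deletion
    cleared = False
    findings = []
    for rec in records:
        if rec.get("event") == "cookies_cleared":
            cleared = True
            continue
        host, req, resp = rec["host"], rec["req"], rec["resp"]
        name, value = set_cookie_pair(resp.get("Set-Cookie", ""))
        if not value:
            continue
        if not cleared:
            seen.setdefault(host, set()).add(value)
        elif ("Cookie" not in req and "If-None-Match" in req
              and value in seen.get(host, ())):
            findings.append({"host": host, "cookie": name, "value": value,
                             "id_in_etag": value in req["If-None-Match"]})
    return findings


if __name__ == "__main__":
    for finding in find_respawns(SAMPLE):
        print(finding)
```

On the constructed sample only `tracker.example` is flagged; the fresh `sid` value from `static.example` was never seen before the deletion, so it is not treated as a respawn.
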
Hulu and others were using cookies from KISSmetrics, which saved cookies onto the user's computer without notice, even if the user had specified that all HTTP and Flash cookies should be blocked, Soltani said. At least 515 Websites used KISSmetrics code to allow cookies to respawn.

Hulu said in a blog post it was investigating the researchers' claims.

KISSmetrics CEO Hiten Shah claimed in a blog post the company does not track users across different Websites, nor does it have the ability to do so. Shah denied the use of persistent cookies and claimed all users have an opt-out feature.

Websites and advertisers have faced strong criticism for collecting and selling personal data about computer users without their knowledge, or without giving users a clear way to opt out. Despite the industry's claims that it could regulate itself to protect consumer privacy, drafts of several "do not track" privacy bills are currently making the rounds in both chambers of Congress.